CVE-2026-12902 in Kadence Blocks Plugin
Summary
by MITRE • 07/01/2026
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create arbitrary Media Library attachments by downloading remote images to the site's uploads directory via wp_upload_bits() and wp_insert_attachment(), bypassing the upload_files capability boundary.
Analysis
by VulDB Data Team • 07/01/2026
The Kadence Blocks plugin for WordPress represents a widely used page builder toolkit that integrates with the Gutenberg editor interface. This vulnerability affects all versions up to and including 3.7.7, creating a significant authorization bypass flaw that directly undermines the plugin's security model. The vulnerability stems from improper capability verification within the plugin's core functionality, specifically in how it handles user permissions when processing media uploads through the WordPress Media Library system.
Technically, the flaw lies in the plugin's use of the WordPress functions wp_upload_bits() and wp_insert_attachment(), which core code normally reaches only after a capability check. Kadence Blocks does not enforce an equivalent authorization boundary before calling them, so authenticated users with contributor-level privileges or higher can circumvent the normal upload restrictions. The flaw sits at the application layer, where the plugin's own access control is not validated against the standard WordPress user capability system.
Attackers leveraging this vulnerability can execute unauthorized media uploads by downloading remote images directly into the site's uploads directory, effectively bypassing the conventional upload_files capability requirement that should normally restrict such operations to users with appropriate permissions. The operational impact extends beyond simple unauthorized file creation, as this authorization bypass allows attackers to potentially introduce malicious content into the WordPress Media Library, which could then be used for further attacks including cross-site scripting or phishing campaigns.
This vulnerability aligns with CWE-863, which describes improper authorization conditions in software applications, and corresponds to ATT&CK technique T1078.004 related to valid accounts with elevated privileges. The flaw represents a critical security gap that could enable attackers to establish persistent presence within WordPress installations while maintaining their unauthorized access through legitimate user accounts. Organizations using this plugin should immediately update to patched versions or implement temporary mitigations such as restricting contributor-level capabilities and monitoring Media Library modifications for suspicious activity.
The vulnerability demonstrates the importance of proper input validation and capability verification in WordPress plugin development, particularly when handling sensitive operations like file uploads that interact with core WordPress functions. Security practitioners should also consider implementing additional monitoring solutions that track unauthorized access attempts to media libraries and maintain regular security audits of installed plugins to identify similar authorization bypass vulnerabilities across their WordPress environments.
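A hardened REST handler for the pattern the analysis describes, as an added example that is not Kadence Blocks code: the route, handler and parameter names are assumptions, while the WordPress functions used are real core APIs. The commented-out line shows the weak permission setting beside the corrected one.

```php
<?php
// Added example, not Kadence Blocks code: route/handler names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-image', array(
        'methods'  => 'POST',
        'callback' => 'example_import_remote_image',
        // WEAK: '__return_true' (or no callback) lets any logged-in user reach the handler.
        // 'permission_callback' => '__return_true',
        // HARDENED: require the capability core demands for uploads.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args' => array(
            'url' => array(
                'required'          => true,
                'validate_callback' => function ( $url ) {
                    return false !== wp_http_validate_url( $url );
                },
            ),
        ),
    ) );
} );
function example_import_remote_image( WP_REST_Request $request ) {
    // Re-check in the handler so it stays safe if reached by another path.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability', array( 'status' => 403 ) );
    }
    $url  = esc_url_raw( $request['url'] );
    $name = sanitize_file_name( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $type = wp_check_filetype( $name );
    // Only accept image MIME types the site already allows for uploads.
    if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
        return new WP_Error( 'bad_type', 'Not an allowed image type', array( 'status' => 400 ) );
    }
    // wp_safe_remote_get() rejects local/private destinations (SSRF guard).
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $resp ) ) {
        return $resp;
    }
    $upload = wp_upload_bits( $name, null, wp_remote_retrieve_body( $resp ) );
    if ( ! empty( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'], array( 'status' => 500 ) );
    }
    $attachment_id = wp_insert_attachment( array(
        'post_mime_type' => $type['type'],
        'post_title'     => $name,
        'post_status'    => 'inherit',
    ), $upload['file'] );
    return rest_ensure_response( array( 'attachment_id' => $attachment_id ) );
}
```

The permission_callback gate is what the page says was missing; the in-handler re-check and the MIME and URL validation are defence in depth around the same two core calls.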